Zaproxy: Add support for GraphQL inspecting/attacking

Created on 18 Dec 2018 · 4 Comments · Source: zaproxy/zaproxy

Is your feature request related to a problem? Please describe.
GraphQL is:

GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.

Building a secure GraphQL is not simple, and it is also not simple to assess the security of a given endpoint. This post does a pretty good job describing the different risks, with example malicious payloads.

Describe the solution you'd like
Use Zap to inspect and attack a given GraphQL endpoint and be able to view alerts.

Describe alternatives you've considered
Manually running different scripts.

Labels: add-on, enhancement, project

All 4 comments

Sounds like a good GSoC (or similar) project.
Note that to be supportable any implementation should have unit tests.

Now that there is basic support for GraphQL is there an updated ticket / list of features the GraphQL add-on is still missing and requires further contributions? I'd be interested to see how it is planned to get active scanning support for GraphQL APIs into ZAP.

As per https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap/ @ricekot is planning to keep working on these features :)
